Short Bytes: WikiLeaks has recently published new documents, revealing new CIA malware implants. The first implant, named BothanSpy, targets SSH client Xshell on Windows machines. The second implant, called Gyrfalcon, targets OpenSSH clients on Linux system. Both implants are capable of stealing user credentials and spying on the session traffic.While Windows users were getting affected by new threats like WannaCry and Petya/NotPetya, Linux users stayed untouched. However, this doesn’t mean that Linux is an unhackable operating system. Just last week I told you about CIA’s OutlawCountry malware that targetted Linux machines using malicious kernel modules.
Today, I’m going to tell you about two more CIA malware unveiled by WikiLeaks, as a part of the ongoing Vault 7 leak, which target Windows and Linux computers and steal SSH credentials and session traffic. Talking specifically about the tools, they are implants, which are basically malware payloads.
So, let’s tell you about these SSH hacking tools one by one in brief:
BothanSpy implant for Windows
As described by WikiLeaks in BothanSpy’s description, it’s an implant that targets SSH client Xshell for Windows. The implant is installed as a Shellterm 3.x extension on the user’s machine.
The program credentials are either username and password, which are stolen for all active SSH sessions. By using the Fire and Collect (F&C) channel, the stolen credentials are exfiltrated. Before running BothanSpy on a target machine, one needs to start the F&C handler.
Though not preferred, BothanSpy also works in Fire and Forget (F&F) mode. This mode creates files on the machine that contain the credential passed from Xshell, with AES-256 encryption.
You can read further technical details on BothanSpy in this leaked document. If you’re a Star Wars fan, you’ll love the references!
Gyrfalcon implant for Linux
Moving on to Linux machines, CIA’s Gyrfalcon implant targets OpenSSH clients on Linux-based operating systems like CentOS, RHEL, Ubuntu, SUSE, Debian, etc. Apart from stealing the user credentials of all active SSH sessions, Gyrfalcon can also collect session traffic.
Gyrfalcon compresses, encrypts, and stores the collected data into a file on the Linux system. By using a third-party application, the collection file is transferred to the attacker.
For using Gyrfalcon, the attacker must have a thorough knowledge of Linux/Unix command line and shells like bash, csh, and sh. The user also needs to understand the Linux computing environment for correctly configuring Gyrfalcon. The Gyrfalcon library needs to be installed with root privilege.
You can read more details regarding working and installation of Gyrfalcon in this leaked manual.
Read our complete WikiLeaks: Vault 7 coverage